Web Platform Security

Developers should have the tools necessary to defend their creations
against the wide spectrum of maliciousness thrown at them on a daily
basis. We design and implement platform-level features that enable a
robust defense, and work in standards bodies to get them in front of
as many developers as possible.

Subresource Integrity

We've shipped Subresource Integrity as of Chrome 46. This feature should
also be shipping in Firefox ~43, which is exciting to see.

Upgrade Insecure Requests

We've shipped Upgrade Insecure Requests as of Chrome 44. This feature
should also be shipping in Firefox 42, which will give us a fairly broad
base of support.

Mixed Content

We've been steadily tightening our Mixed Content blocking over the last
~18 months. The specification has broad approval from other vendors, who
are generally aligning with Chrome's behavior over time.

Cookies

We have a number of cookie-related proposals floating around that we're
building support for in the IETF's HTTPbis group:

Referrer Policy

Referrer Policy shipped in Chrome a long time ago, and the new bits we've
added to the spec are trickling out over time.

We need to do some refactoring in order to consistently apply referrer policy
for redirects (basically hoisting the parsing and processing up out of Blink
and into the network stack). Hopefully we'll get that done in Q4 (2015).